Re-Signing An Expired CA Certificate
On rare occasions you may find yourself with a self-signed internal CA that has expired while you are still using certificates issued from the CA. One potential solution to this problem is to self-sign a new cert with identical fields using the private key from the old certificate.1
You can fill in almost all the fields using the interactive prompt, but to ensure maximum compatibility be sure every field matches exactly. You will also need to set the serial number of the certificate via the -set_serial parameter (openssl takes this argument in decimal form, not hex)2.
openssl req -new -x509 -key previousprivatekey.pem -set_serial 0000 -out newroot.cer
You now have a new root certificate that will work with your previously issued certificates!